Monday 17 November 2014

Microsoft fixes '19-year-old' bug with emergency patch

The 19-year-old software bug that was discovered by IBM has not been fixed by Microsoft. IBM came to know about this flaw long back (May) but wanted to get the issue fixed as it was affecting office and windows products before making any statement to the general public.

According to IBM, this software bug was present in every single version of Windows since 1995. Windows users are being requested to download the update for the respective windows version, as hackers and attackers will be easily able to exploit their personal computer, which is already affected with the bug. Microsoft has already addressed this issue in their monthly security update and has added more patches to fix the other security issues of the users. They are currently working on few more updates and patches, which will be rolled out soon.

Robert Freeman, IBM researcher has explained the susceptibility in depth in his blog post. He has written that this bug can be easily used by any attacker for creating drive-by attacks and easily run codes remotely on anyone’s computer and they can practically take over the entire machine or system. A drive-by attack in a computer security means that the system attacker will be able to make the user of the system download vulnerable and malicious software.

According to the reports given by IBM, this bug was practically hiding in the plain sight. On the CVSS (the Common Vulnerability Scoring System), the vulnerability - dubbed WinShock has been rated 9.3 out of a possible 10. This means a severity in terms of computer security.

Potential disaster: 

Another bug that has been identified affects the Windows Server platforms of Microsoft. This potentially puts the security of websites at risk, which mainly handle the encrypted data. This bug has been specifically linked with Schannel, which is the company’s software for applying the secure transfer of data. Schannel is also known as Microsoft’s secure channel. Some of the major problems discovered in secure standards include GNUTLS, Apple SecureTransport, NSS, OpenSSL, and Schannel now.

This security flaws has also been compared with Heartbleed bug by the security experts. However, they have also added that the impact of the bug might be on the similar scale as that of Heartbleed bug but the level of exploitation will be difficult for the attackers. When it came to Heartbleed bug, the technological vulnerability was associated with the exploitation of the secure data transfer also known as Secure Sockets Layer (SSL).

Now, the bug has been identified by IBM and a patch has already been released by Microsoft to tackle the issue, there is been no evidence of any complaints being received about potential attacks. However, security experts believe that there are chances of security attacks in the system, which are out of date.

According to the Market researchers, if the bug had been sold out to hackers and attackers, the worth of the same would have easily been in six figures. According to Gavin from Tenable Network Security, just because there is no evidence of any attacks, we should not leave out the security concerns.

No comments:

Post a Comment

Note: only a member of this blog may post a comment.